Debian Project News - May 26th, 2008

Welcome to this year's 3rd issue of DPN, the newsletter for the Debian
community. Steve McIntyre sent a new Bits from the DPL mail. A
serious issue in Debian's OpenSSL package has been fixed recently. Debian
is discussing an archive structure for huge packages.

Bits from the Debian Project Leader

Steve McIntyre sent a new release of his Bits
from the DPL reporting his recent activities as elected Project
Leader. He starts by pointing to
several interviews he gave recently
and continues by informing about personnel changes in core teams.
Jonathan McDowell has been added as keyring maintainer, and is already
working together with James Troup on easier integration of keyring
maintenance and the Debian LDAP system for better cooperation with the Debian
System Administrators. He thanks Anthony Towns, who stepped down from
most of the teams he was in.

Last but not least he talks about the upcoming
Debian Conference in Mar del
Plata, Argentina. The organizational efforts are going well,
with announcements about papers, talk selection and travel sponsorship
soon to be sent out. But as always, the organizers are also still
looking for more companies and individuals to sponsor the conference; please contact
sponsors@debconf.org if you want to
help.

OpenSSL weakness in Debian affecting many other packages

Luciano Bello
discovered
that the random number generator in Debian's openssl package is
predictable. This is caused by an incorrect Debian-specific change to
the openssl package
(CVE-2008-0166): the patch removed the calls that mixed fresh data into
the PRNG state, leaving the process ID as the only varying input, so only
about 32,000 distinct random streams exist per architecture and key type.
As a result, cryptographic key material may be guessable. Affected keys
include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in
X.509 certificates and session keys used in SSL/TLS connections. Keys
generated with GnuPG or GnuTLS are not affected. However, other
systems can be indirectly affected if weak keys are imported into
them, and DSA keys that were merely used for signing on an affected
system should also be treated as compromised, since a DSA signature made
with a predictable nonce reveals the private key.

Shortly after Luciano's discovery,
fixed
packages were created and, due to the seriousness of the problem, a
new OpenSSH package was
released that automatically regenerates possibly compromised host keys
and ships a blacklist of possibly affected user keys.
At the same time a
detector
tool
(GPG
signature) has been written and constantly improved since then, and
detailed test and upgrade procedures for different software packages
have been
collected. The important caveat is that upgrading openssl alone is not
enough: every key generated on an affected system since September 2006
has to be found, revoked and regenerated, and any certificate signed for
such a key has to be reissued.
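The following is an added example, not Debian's, OpenSSL's or the detector
tool's own code. It models the failure mode described above with a
constructed stand-in key generator whose only input is the process ID, and
then shows the check that blacklist-based detectors perform: enumerate every
key the broken generator can produce, store their fingerprints, and scan a
(constructed, toy-format) authorized_keys file against that list. The
PID_MAX range, the key format and the sample file are assumptions of the
example; the real blacklists were precomputed per key type, key size and
architecture in the same way.

```python
"""Toy model of the CVE-2008-0166 failure mode and of a blacklist check.

Added example for DPN, not Debian's or OpenSSL's code. weak_keygen is a
CONSTRUCTED stand-in for a key generator: real keys are RSA/DSA
structures, but the property that matters is identical, the only
varying input is the process ID, so every possible key can be
enumerated ahead of time and listed by fingerprint.
"""
import hashlib
from typing import Dict, List, Set, Tuple

PID_MAX = 32768  # assumption: the 15-bit Linux pid range of the time


def weak_keygen(pid: int, key_type: str) -> bytes:
    """Constructed stand-in for a key produced by the broken PRNG.

    The seed is only (key type, pid); no other entropy enters, which is
    what the Debian-specific change to OpenSSL's md_rand.c had caused.
    """
    return hashlib.sha256(f"{key_type}:{pid}".encode()).digest()


def fingerprint(pubkey: bytes) -> str:
    """MD5 hex fingerprint, the form ssh-keygen -l printed in 2008."""
    return hashlib.md5(pubkey).hexdigest()


def build_blacklist(key_type: str) -> Set[str]:
    """Enumerate every key the weak generator can produce for one key type."""
    return {fingerprint(weak_keygen(pid, key_type)) for pid in range(1, PID_MAX)}


def is_weak(pubkey: bytes, blacklist: Set[str]) -> bool:
    """A key is weak if its fingerprint is among the enumerated ones."""
    return fingerprint(pubkey) in blacklist


def parse_authorized_keys(text: str) -> List[Tuple[int, str, bytes, str]]:
    """Parse a constructed authorized_keys-like file.

    Toy format (not the real OpenSSH encoding):
        <key-type> <hex-encoded key> <comment>
    Returns (line number, key type, key bytes, comment) per valid entry;
    blank, comment and malformed lines are skipped rather than aborting.
    """
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            continue
        key_type, hexkey = parts[0], parts[1]
        comment = parts[2] if len(parts) == 3 else ""
        try:
            key = bytes.fromhex(hexkey)
        except ValueError:
            continue
        entries.append((lineno, key_type, key, comment))
    return entries


def scan_authorized_keys(text: str) -> List[Tuple[int, str]]:
    """Return (line number, comment) for every entry that hits the blacklist."""
    blacklists: Dict[str, Set[str]] = {}
    hits = []
    for lineno, key_type, key, comment in parse_authorized_keys(text):
        if key_type not in blacklists:  # one enumeration per key type
            blacklists[key_type] = build_blacklist(key_type)
        if is_weak(key, blacklists[key_type]):
            hits.append((lineno, comment))
    return hits


# Constructed sample file: entries 1 and 3 were "generated" by the broken
# generator under pids 4242 and 17; entry 2 comes from real entropy.
GOOD_KEY = hashlib.sha256(b"entropy from a healthy /dev/urandom, not a pid").digest()
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, toy key format",
    f"rsa2048 {weak_keygen(4242, 'rsa2048').hex()} alice@buildd",
    f"rsa2048 {GOOD_KEY.hex()} bob@laptop",
    f"dsa1024 {weak_keygen(17, 'dsa1024').hex()} carol@vpn",
])

if __name__ == "__main__":
    for lineno, comment in scan_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {lineno}: weak key ({comment}), revoke and regenerate")
```

The scan only ever compares fingerprints, so the blacklist can be shipped
without the weak private keys themselves, which is why the real packages
could distribute it safely; the flip side is that a key type, size or
architecture missing from the list is silently not checked.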

We are sorry for any inconvenience caused by this and would like to thank
everyone who helped get this issue solved so fast and without any
major consequences.

Discussion on how to prevent such accidents in the future has already started on
various lists.

Perl 5.10 Transition

Marc Brockschmidt
announced
the completion of the transition to Perl 5.10 as the default version for the upcoming
stable release.

He noted that for this transition over 400 packages were updated in
testing, including updates for heimdal, clamav and sendmail/libmilter.
The next scheduled, smaller updates are planned for xulrunner, ocaml,
ffmpeg, poppler and nautilus.

Backports.org unknown?

During his triage of older bugs reported against OpenOffice.org,
Lior
Kaplan noticed that many users are not aware of
backports.org, an unofficial service
providing updated packages for users of the stable version of Debian.

In the following discussion several proposals for better integration
of that service into Debian were made. Gerfried Fuchs
summarized
the current state.

Huge Packages in Debian

Members of the
Debian
Games Team (and other maintainers of generic large data packages)
wondered about size limitations of the Debian archive (and its
infrastructure) regarding packages. Jörg Jaspert joined the discussion as ftp-master
and
summarized
the possibilities for solving the issues. He favours creating a new
archive for large packages (containing architecture independent data) and,
if possible, a change to the Debian Policy allowing packages that depend on
such data, available only in the new archive, to stay in main.

State of SANE

Since SANE (Scanner Access Now Easy, a framework for accessing
scanners) is working on improving its interface, Julien Blache gave an
overview of his
plans for the SANE packages for the upcoming release, Lenny. SANE
will need to stay on the current interface, but Julien plans to backport
some important improvements from the development branch and asks for
feedback.

Hints for new Free Software Projects

Francois Marier
gave
hints on how to choose a license for free software projects. He
concludes that using a license incompatible with mainstream licenses like
the GNU General Public License is as bad as writing one's own license.

Sven Joachim
wondered
about the state of translation packages for Enigmail, a GnuPG extension for
the mail client Icedove.
Alexander Sack
replied
that he will add them to the main package.

Jörg Jaspert
proposed
to standardize headers added to e-mails by various tools used by
Debian.

Enrico Zini gave
a small howto on conditional partitioning in the Debian installer for
unattended installations that preserve some partitions. He had already
written a
small howto on creating bootable USB keys with simple-cdd.

Since the database used by
packages.debian.org covers
only supported and upcoming releases, Frank Lichtenheld created
archive.debian.net, which is
capable of searching through archived releases, too. Sadly it has some
caveats.

Martin Krafft
started
collecting noteworthy additions, changes and other improvements in
the upcoming stable Debian release, Lenny, in the wiki. Please help and
contribute to that page.

Work-needing packages

Currently 433 packages are orphaned and 104 packages are up for
adoption. Please take a look at the recent reports
to see if there are packages you are interested in.

Want to continue reading DPN? Please help us create
this newsletter. We still need more volunteer writers who watch the
Debian community and report about what is going on. Please see our
HOWTO
contribute page to find out how to help. We're looking forward
to receiving your mail at
debian-publicity@lists.debian.org.